Ten Operators, Nine Campaigns, and a Backend With No Password: How a Single Vercel URL Exposed a Two-Year Korean Phishing Syndicate
arnptec.com has directory listing enabled with ten named operator directories, nine phishing campaigns, and two years of activity
@skocherhan flagged a Vercel-hosted phishing page: curly-spoon-sigma[.]vercel[.]app. An auto-generated project name on a free-tier platform. We expected a throwaway credential harvester. What we found was a fully exposed backend revealing a ten-person phishing operation that has been running for two years.
The Backend Has No Door
The phishing page at curly-spoon-sigma[.]vercel[.]app impersonates a Naver login. Credentials entered by victims are POSTed — via base64-encoded AJAX — to arnptec[.]com/team24/nvvvr/mab/send.php.
We visited arnptec[.]com. Directory listing is enabled. No authentication. No .htaccess restrictions. The entire operation is browsable:
```
/team24/
/alfred/
/brian/
/bsktdrp/
/ethan/
/gates/
/jeremy/
/kk/
/mab/
/stv/
/stvcooper/
```
Ten operator directories. Each containing phishing kits, exfiltration scripts, and campaign files. A second tree at /fresh/ serves as a template repository — clean copies of kits ready for deployment.
Ten Named Operators
The directory structure reveals a multi-operator syndicate where each member runs their own campaigns under a shared infrastructure:
| Operator | Campaigns |
|---|---|
| alfred | General Korean phishing |
| brian | Naver + Daum/Kakao |
| bsktdrp | eCount ERP |
| ethan | Naver |
| gates | Naver + WeTransfer |
| jeremy | Cafe24 |
| kk | Korean webmail |
| mab | Naver (active — curly-spoon-sigma) |
| stv | Korean corporate |
| stvcooper | WHOIS + domain services |
mab is the operator behind the Vercel page that triggered this investigation. Their send.php receives the stolen credentials and likely forwards them to a Telegram bot or email drop.
Nine Target Platforms
The syndicate focuses overwhelmingly on South Korean services:
- Naver — Korea's dominant portal (email, search, shopping)
- Daum/Kakao — Korea's second-largest portal and messaging platform
- Cafe24 — Korean e-commerce hosting platform
- eCount — Korean ERP/accounting software
- WeTransfer — File sharing service
- WHOIS — Domain registration services
- Webmail — Generic corporate email
- General credential — Multi-purpose phishing
- Korean corporate — Targeted business phishing
The Korean targeting pattern aligns with Kimsuky/APT43 operations, but this could also be a financially motivated Korean-language cybercrime syndicate. The operator names (alfred, brian, gates, jeremy) suggest English-speaking or English-adopting operators using Western aliases.
The Double-Tap
The Naver phishing kit uses a double-tap password collection technique: the victim enters their password, receives a "wrong password" error, and enters it again. Both entries are captured and exfiltrated. This catches victims who initially type quickly and may mistype — the second entry is almost always correct.
Two Years of Activity
Directory timestamps span from April 2024 to present. The curly-spoon-sigma Vercel deployment is the latest in a series — two other Vercel projects (crispy-fortnight-mocha and scaling-octo-chainsaw) have been disabled, likely after abuse reports. The operators simply create new Vercel projects when old ones are burned.
Three Vercel Projects
| Project | Status |
|---|---|
| curly-spoon-sigma[.]vercel[.]app | LIVE |
| crispy-fortnight-mocha[.]vercel[.]app | Disabled |
| scaling-octo-chainsaw[.]vercel[.]app | Disabled |
All three are auto-generated Vercel project names, confirming free-tier abuse. Vercel's free tier requires no payment method — the operators can create unlimited projects with throwaway accounts.
Indicators of Compromise
Network Indicators
- curly-spoon-sigma[.]vercel[.]app (active Naver phishing)
- arnptec[.]com (backend — open directory, exfil endpoint)
- arnptec[.]com/team24/ (operator directories)
- arnptec[.]com/fresh/ (template repository)
Exfil Endpoint
- arnptec[.]com/team24/nvvvr/mab/send.php (credential POST target)
Operators
- alfred, brian, bsktdrp, ethan, gates, jeremy, kk, mab, stv, stvcooper
Detection
Three YARA rules and nine Suricata signatures are available on our GitHub:
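As an added detection example (not part of this write-up or of the rules on the GitHub repository it mentions), the sweep below runs the indicators listed above over a few constructed HTTP-log lines and escalates a POST to the send.php exfil endpoint. The log field layout and the assumption that the AJAX body is a base64-encoded form string are mine; the page does not show the kit's real encoding or field names.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Indicators from the write-up, defanging brackets removed for matching.
IOC_HOSTS = {"curly-spoon-sigma.vercel.app", "crispy-fortnight-mocha.vercel.app",
             "scaling-octo-chainsaw.vercel.app", "arnptec.com"}
EXFIL_PATH = "/team24/nvvvr/mab/send.php"
OPERATOR_DIRS = {"alfred", "brian", "bsktdrp", "ethan", "gates",
                 "jeremy", "kk", "mab", "stv", "stvcooper"}

def decode_exfil_body(body: str) -> dict:
    """Best-effort decode of a base64 form body (assumed format); {} if not base64."""
    try:
        raw = base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return {}
    return {k: v[0] for k, v in parse_qs(raw).items()}

def classify(line: str):
    """Alert dict for one constructed 'src method host path [body]' line, else None."""
    parts = line.split(" ", 4)
    if len(parts) < 4:
        return None
    src, method, host, path = parts[:4]
    body = parts[4] if len(parts) == 5 else ""
    if host not in IOC_HOSTS:
        return None
    alert = {"src": src, "host": host, "path": path, "severity": "medium"}
    # Any path segment naming one of the ten operators ties the hit to a campaign.
    hits = [s for s in path.strip("/").split("/") if s in OPERATOR_DIRS]
    if hits:
        alert["operator"] = hits[0]
    # A POST to the known send.php is credential exfiltration: escalate, keep field names only.
    if method == "POST" and host == "arnptec.com" and path == EXFIL_PATH:
        alert["severity"] = "high"
        alert["fields"] = sorted(decode_exfil_body(body))
    return alert

def sweep(lines) -> list:
    return [a for a in map(classify, lines) if a]

# Constructed sample log; a double-tap kit submits both password entries.
SAMPLE_LOG = [
    "10.0.0.5 GET curly-spoon-sigma.vercel.app /login.html",
    "10.0.0.5 POST arnptec.com /team24/nvvvr/mab/send.php "
    + base64.b64encode(b"id=victim&pw=first-try&pw2=second-try").decode(),
    "10.0.0.9 GET arnptec.com /team24/brian/index.php",
    "10.0.0.7 GET example.com /",
]
```

Running `sweep(SAMPLE_LOG)` yields three alerts: a medium hit on the Vercel page, a high hit on the send.php POST attributed to operator mab with fields id, pw and pw2, and a medium hit on brian's directory.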
Ten operators. Nine campaigns. Two years. Zero authentication on the backend. Investigation conducted autonomously by GHOST -- Breakglass Intelligence.
h/t @skocherhan for the initial URL.